| author | Florian Westphal <fw@strlen.de> | 2022-01-11 12:08:59 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2022-01-11 12:35:07 +0100 |
| commit | 8d443adfcc8c19effd6be9a9c903ee96e374f2e8 | |
| tree | 16363b80397ce8e13873983f44896621497a3312 /src | |
| parent | 07af4429241c9832a613cb8620331ac54257d9df | |
evaluate: attempt to set_eval flag if dynamic updates requested
When passing no upper size limit, the dynset expression forces
an internal 64k upper limit.
In some cases, this can result in 'nft -f' to restore the ruleset.
Avoid this by always setting the EVAL flag on a set definition when
we encounter a packet-path update attempt in the batch.
Reported-by: Yi Chen <yiche@redhat.com>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'src')
-rw-r--r-- | src/evaluate.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 8edefbd1..437eacb8 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3621,6 +3621,7 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt) static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) { + struct set *this_set; struct stmt *this; expr_set_context(&ctx->ectx, NULL, 0); @@ -3650,6 +3651,15 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) "statement must be stateful"); } + this_set = stmt->set.set->set; + + /* Make sure EVAL flag is set on set definition so that kernel + * picks a set that allows updates from the packet path. + * + * Alternatively we could error out in case 'flags dynamic' was + * not given, but we can repair this here. + */ + this_set->flags |= NFT_SET_EVAL; return 0; } |
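Review bot: in the second hunk, `this_set->flags |= NFT_SET_EVAL;` runs unconditionally for every statement that reaches the end of stmt_evaluate_set, and nothing in the hunk shows that `stmt->set.set->set` is guaranteed non-NULL at this point or that the flag is only meant for the update case named in the commit message; a short comment naming the earlier check that ensures a resolved set reference here (or an explicit NULL guard before the dereference) would make the safety of the dereference evident to a reader of this function alone. The in-code comment should also say plainly that this silently widens the set definition beyond what the user declared: the commit message itself presents erroring out when 'flags dynamic' is missing as the alternative, and quietly repairing the flags means the ruleset the kernel installs differs from the one the user listed, which matters when auditing a restored ruleset against its source.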